Trying to figure out forms authentication

Some questions on forms authentication:

1) Can one do one's own checking of username and password and totally bypass calling FormsAuthentication.Authenticate?

2) Does the "new FormsAuthenticationTicket" create a cookie?

3) Can one send the cookie back to the browser just by doing the new call on the FormsAuthenticationTicket?

4) Does a session object contain nothing more than what is in the browser cookie?

5) Does the session object get created fresh from every forms submit using the
browser's cookie that ASP.Net requests from the browser on every page submit?

http://msdn.microsoft.com/library/de...redentials.asp

void SubmitBtn_Click(Object Source, EventArgs e)
{
    // Pull credentials from form fields and try to authenticate.
    if (FormsAuthentication.Authenticate(UserName.Value, UserPassword.Value))
    {
        // Ticket arguments: name, isPersistent, timeout in minutes.
        // The ticket object is not used by the call below.
        FormsAuthenticationTicket ticket =
            new FormsAuthenticationTicket(UserName.Value, false, 5000);

        FormsAuthentication.RedirectFromLoginPage(UserName.Value, Persist.Checked);
    }
}
Dec 5 '05 #1
You can do your own checking and then use SetAuthCookie and then do a regular
Response.Redirect to wherever you'd like.
Here's more information:
http://authors.aspalliance.com/aspxt...uthCookie.aspx
--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://SteveOrr.net

Dec 5 '05 #2
Hi Dear Randall Parker

1) Can one do one's own checking of username and password and totally bypass calling FormsAuthentication.Authenticate?

Yes, you can. You will be using FormsAuthentication.Authenticate only
when you are giving the user information like name & password in web.config.
For example:

<authentication mode="Forms">
  <forms loginUrl="login.aspx">
    <credentials passwordFormat="SHA1">
      <!-- password holds the value in the format named by passwordFormat -->
      <user name="Venkat" password="venkat_password / my_hashed_password" />
      <user name="Randall" password="your password / your_hashed_password" />
    </credentials>
  </forms>
</authentication>

<authorization>
  <deny users="?" />
</authorization>

In the above case you will be using
FormsAuthentication.RedirectFromLoginPage(usernametextBox.Text, false)

Note: the second parameter will normally be false, but it can take true or
false depending on the user's choice. For example, if the user is browsing from a
browsing center, it is not advisable to use "True", since it creates a
cookie and anybody can take advantage of it.

Otherwise you can retrieve both user_name & password from the database,
match them with the values the user entered, authenticate,
and finally redirect him to the relevant page using Response.Redirect.

2) Does the "new FormsAuthenticationTicket" create a cookie?

Provides a means of creating and reading the values of a forms
authentication cookie (containing an authentication ticket) as used by
FormsAuthenticationModule.

http://msdn.microsoft.com/library/de...classtopic.asp

3) Can one send the cookie back to the browser just by doing the new call on the FormsAuthenticationTicket?

It has a set of read-only properties of an authentication cookie.

http://dotnet.org.za/thea/archive/2004/07/27/3010.aspx
http://blogs.msdn.com/tmeston/archiv.../24/10505.aspx
4) Does a session object contain nothing more than what is in the browser cookie?

ASP.NET gives you a better way (compared to other types of storing session
state) to store state for each user on the server with the Session object.

You can store data in the Session object, and it will be available from hit
to hit for the same Web browser. Sessions expire after 20 minutes of
inactivity by default, although you can change this behavior, as we'll show
shortly.

5) Does the session object get created fresh from every forms submit using the
browser's cookie that ASP.Net requests from the browser on every page submit?

Every time a new browser hits your ASP.NET application, a new Session object
is created for that Web browser.

A new session is created once for each new browser that hits your ASP.NET
Web site. If a user stops hitting your Web site, his Session will time out
after 20 minutes of inactivity, by default.

Bye
Venkat_KL
Dec 5 '05 #3
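
An added example, not code from any poster in this thread: it shows questions 1 to 3 end to end, with a custom credential check in place of FormsAuthentication.Authenticate, followed by the steps that actually put a ticket into a cookie (constructing a FormsAuthenticationTicket alone sends nothing to the browser). The LoginHelper and StoredCredential names, the PBKDF2 storage scheme and the 30-minute lifetime are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public static class LoginHelper
{
    // Hypothetical record loaded from your own user table (assumed schema).
    public class StoredCredential { public byte[] Salt; public byte[] Hash; public int Iterations; }

    // Custom check used instead of FormsAuthentication.Authenticate.
    // Derives PBKDF2 from the submitted password and compares in constant time.
    public static bool VerifyPassword(string password, StoredCredential stored)
    {
        if (stored == null || password == null) return false;
        using (var kdf = new Rfc2898DeriveBytes(password, stored.Salt, stored.Iterations))
        {
            byte[] candidate = kdf.GetBytes(stored.Hash.Length);
            int diff = 0;
            for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ stored.Hash[i];
            return diff == 0;
        }
    }

    // Call only after VerifyPassword returned true.
    public static void SignIn(HttpContext ctx, string userName, bool persist)
    {
        // The ticket is only an in-memory object at this point.
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), // assumed lifetime
            persist, "", FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket as configured on <forms protection="...">.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows <forms requireSSL="...">
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persist) cookie.Expires = ticket.Expiration; // otherwise a browser-session cookie

        // Adding the cookie to the response is what sends it to the browser.
        ctx.Response.Cookies.Add(cookie);
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persist));
    }
}
```

FormsAuthentication.SetAuthCookie and RedirectFromLoginPage perform the ticket, encrypt and cookie steps internally; building the ticket by hand is only needed when you want to control its fields, such as userData or the expiration.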
